[go: up one dir, main page]

WO2012047555A3 - Secure deployment of provable identity for dynamic application environments - Google Patents

Secure deployment of provable identity for dynamic application environments Download PDF

Info

Publication number
WO2012047555A3
WO2012047555A3 PCT/US2011/053010 US2011053010W WO2012047555A3 WO 2012047555 A3 WO2012047555 A3 WO 2012047555A3 US 2011053010 W US2011053010 W US 2011053010W WO 2012047555 A3 WO2012047555 A3 WO 2012047555A3
Authority
WO
WIPO (PCT)
Prior art keywords
secret
identity
application environments
dynamic application
full
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2011/053010
Other languages
French (fr)
Other versions
WO2012047555A2 (en
Inventor
Ian Jirka
Kahren Tevosyan
Corey Sanders
George M. Moore
Mohit Srivastava
Mark Eugene Russinovich
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Corp
Original Assignee
Microsoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corp filed Critical Microsoft Corp
Priority to JP2013532829A priority Critical patent/JP5934224B2/en
Priority to EP11831226.3A priority patent/EP2625645B1/en
Priority to AU2011312611A priority patent/AU2011312611B2/en
Priority to CA2813601A priority patent/CA2813601A1/en
Publication of WO2012047555A2 publication Critical patent/WO2012047555A2/en
Publication of WO2012047555A3 publication Critical patent/WO2012047555A3/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45562Creating, deleting, cloning virtual machine instances
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)
  • Multi Processors (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An invention is described for securely deploying a provable identity for virtual machines (VMs) in a dynamic environment. In an embodiment, a fabric controller instructs a VM host to create a VM and sends that VM a secret. The fabric controller sends that same secret (or a second secret, such as the private key of a public/private key pair) to the security token service along with an instruction to make an account for the VM. The VM presents proof that it possesses the secret to the security token service and in return receives a full token. When a client connects to the deployment, it receives the public key from the security token service, which it trusts, and the full token from the VM. It validates the full token with the public key to determine that the VM has the identity that it purports to have.
PCT/US2011/053010 2010-10-08 2011-09-23 Secure deployment of provable identity for dynamic application environments Ceased WO2012047555A2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
JP2013532829A JP5934224B2 (en) 2010-10-08 2011-09-23 Secure deployment of provable identities in dynamic application environments
EP11831226.3A EP2625645B1 (en) 2010-10-08 2011-09-23 Secure deployment of provable identity for dynamic application environments
AU2011312611A AU2011312611B2 (en) 2010-10-08 2011-09-23 Secure deployment of provable identity for dynamic application environments
CA2813601A CA2813601A1 (en) 2010-10-08 2011-09-23 Secure deployment of provable identity for dynamic application environments

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/901,445 2010-10-08
US12/901,445 US8990562B2 (en) 2010-10-08 2010-10-08 Secure deployment of provable identity for dynamic application environments

Publications (2)

Publication Number Publication Date
WO2012047555A2 WO2012047555A2 (en) 2012-04-12
WO2012047555A3 true WO2012047555A3 (en) 2012-05-31

Family

ID=45885938

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/053010 Ceased WO2012047555A2 (en) 2010-10-08 2011-09-23 Secure deployment of provable identity for dynamic application environments

Country Status (7)

Country Link
US (1) US8990562B2 (en)
EP (1) EP2625645B1 (en)
JP (1) JP5934224B2 (en)
CN (1) CN102404117B (en)
AU (1) AU2011312611B2 (en)
CA (1) CA2813601A1 (en)
WO (1) WO2012047555A2 (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9619662B1 (en) * 2011-01-13 2017-04-11 Google Inc. Virtual network pairs
US9135037B1 (en) * 2011-01-13 2015-09-15 Google Inc. Virtual network protocol
EP2668737A4 (en) * 2011-01-28 2016-01-06 Royal Canadian Mint Monnaie Royale Canadienne Controlled security domains
US9361162B1 (en) * 2011-08-26 2016-06-07 Amazon Technologies, Inc. Executing threads of an application across multiple computing devices in a distributed virtual machine environment
US9992024B2 (en) * 2012-01-25 2018-06-05 Fujitsu Limited Establishing a chain of trust within a virtual machine
US9367360B2 (en) * 2012-01-30 2016-06-14 Microsoft Technology Licensing, Llc Deploying a hardware inventory as a cloud-computing stamp
US9917736B2 (en) 2012-01-30 2018-03-13 Microsoft Technology Licensing, Llc Automated standalone bootstrapping of hardware inventory
US8910161B2 (en) * 2012-07-13 2014-12-09 Vmware, Inc. Scan systems and methods of scanning virtual machines
EP3014507B1 (en) 2013-06-27 2018-04-04 Intel Corporation Continuous multi-factor authentication
CN105282122B (en) * 2014-07-22 2019-07-12 中兴通讯股份有限公司 Information security realization method and system based on digital certificate
CN104168292A (en) * 2014-09-01 2014-11-26 宇龙计算机通信科技(深圳)有限公司 Dynamic instruction processing method, dynamic instruction processing device and terminal
US9912478B2 (en) 2015-12-14 2018-03-06 International Business Machines Corporation Authenticating features of virtual server system
US10228924B2 (en) * 2016-04-19 2019-03-12 International Business Machines Corporation Application deployment and monitoring in a cloud environment to satisfy integrity and geo-fencing constraints
US10031735B2 (en) 2016-09-30 2018-07-24 International Business Machines Corporation Secure deployment of applications in a cloud computing platform
CN109688098B (en) * 2018-09-07 2022-05-20 平安科技(深圳)有限公司 Method, device and equipment for secure communication of data and computer readable storage medium
US11586470B2 (en) * 2019-08-07 2023-02-21 International Business Machines Corporation Scalable workflow engine with a stateless orchestrator
US12495039B2 (en) 2020-03-25 2025-12-09 Schlumberger Technology Corporation Integrated authentication system and method
US11762671B2 (en) * 2021-11-08 2023-09-19 Smashcut, Inc. Virtualization-based collaborative activity framework with predictive preloading of virtual machines
US11695772B1 (en) * 2022-05-03 2023-07-04 Capital One Services, Llc System and method for enabling multiple auxiliary use of an access token of a user by another entity to facilitate an action of the user

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174429A1 (en) * 2006-01-24 2007-07-26 Citrix Systems, Inc. Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment
US20080228865A1 (en) * 2007-03-15 2008-09-18 Nazareno Brier Cruzada Electronic personal computing and videophone system consisting of a remote server system providing dynamic, subscription based virtual computing services & resources, a thin client hardware device connected to a television set and wireless keyboard & mouse, and a wireless mobile device (a Pocket PC Phone)
US20100042636A1 (en) * 2008-08-13 2010-02-18 Inventec Corporation Internet server system, method of creating virtual machine of the internet server and method of starting the same
US20100131654A1 (en) * 2008-11-25 2010-05-27 Microsoft Corporation Platform for enabling terminal services virtualization

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4671619B2 (en) * 2004-03-31 2011-04-20 富士通株式会社 Terminal validity guarantee system and terminal validity guarantee method
EP1826979A1 (en) * 2006-02-27 2007-08-29 BRITISH TELECOMMUNICATIONS public limited company A system and method for establishing a secure group of entities in a computer network
JP4778358B2 (en) * 2006-05-15 2011-09-21 日本電信電話株式会社 Destination customer protection system, method and program
US20080104393A1 (en) 2006-09-28 2008-05-01 Microsoft Corporation Cloud-based access control list
US8751815B2 (en) 2006-10-25 2014-06-10 Iovation Inc. Creating and verifying globally unique device-specific identifiers
JP2008171076A (en) * 2007-01-09 2008-07-24 Vision Arts Kk Job execution device and its control method
CN101022339A (en) 2007-03-23 2007-08-22 郭传真 Electronic sign stamp identifying method combined with digital centifi cate and stamp
US8881253B2 (en) * 2007-03-28 2014-11-04 Symantec Corporation Method and apparatus for accepting a digital identity of a user based on transitive trust among parties
US8418222B2 (en) 2008-03-05 2013-04-09 Microsoft Corporation Flexible scalable application authorization for cloud computing environments
US8108912B2 (en) 2008-05-29 2012-01-31 Red Hat, Inc. Systems and methods for management of secure data in cloud-based network
JP2010165231A (en) * 2009-01-16 2010-07-29 Panasonic Corp Server authentication method and client terminal
JP5419501B2 (en) * 2009-03-16 2014-02-19 キヤノン株式会社 Information processing system and processing method thereof
US8959510B2 (en) * 2009-03-19 2015-02-17 Red Hat, Inc. Providing a trusted environment for provisioning a virtual machine
US20120054491A1 (en) * 2010-08-31 2012-03-01 Peter John Tippett Re-authentication in client-server communications

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174429A1 (en) * 2006-01-24 2007-07-26 Citrix Systems, Inc. Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment
US20080228865A1 (en) * 2007-03-15 2008-09-18 Nazareno Brier Cruzada Electronic personal computing and videophone system consisting of a remote server system providing dynamic, subscription based virtual computing services & resources, a thin client hardware device connected to a television set and wireless keyboard & mouse, and a wireless mobile device (a Pocket PC Phone)
US20100042636A1 (en) * 2008-08-13 2010-02-18 Inventec Corporation Internet server system, method of creating virtual machine of the internet server and method of starting the same
US20100131654A1 (en) * 2008-11-25 2010-05-27 Microsoft Corporation Platform for enabling terminal services virtualization

Also Published As

Publication number Publication date
CA2813601A1 (en) 2012-04-12
US20120089833A1 (en) 2012-04-12
US8990562B2 (en) 2015-03-24
EP2625645A4 (en) 2017-05-03
WO2012047555A2 (en) 2012-04-12
EP2625645B1 (en) 2020-10-07
AU2011312611B2 (en) 2014-05-29
CN102404117B (en) 2015-05-20
CN102404117A (en) 2012-04-04
AU2011312611A1 (en) 2013-05-02
JP5934224B2 (en) 2016-06-15
JP2013540323A (en) 2013-10-31
EP2625645A2 (en) 2013-08-14

Similar Documents

Publication Publication Date Title
WO2012047555A3 (en) Secure deployment of provable identity for dynamic application environments
PH12021552889A1 (en) Mitigation of ransomware in integrated, isolated applications
WO2015134760A3 (en) Secure hardware for cross-device trusted applications
WO2016010665A8 (en) Apparatus for and method of preventing unsecured data access
HK1220781A1 (en) Method and system for identity-based authentication of virtual machines
EP2657879A3 (en) Security controlled multi-processor system
SG10201901366WA (en) Key exchange through partially trusted third party
BR112018004741A2 (en) method and access device
WO2014083335A3 (en) A method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors
EP4246896A3 (en) Technologies for distributed detection of security anomalies
GB2525719A8 (en) Method and system for providing a vulnerability management and verification service
EP2864876A4 (en) SYSTEMS AND METHODS USING MATERIAL VIRTUALIZATION CHARACTERISTICS SUCH AS SEPARATION CORE HYPERVISORS, HYPERVISORS, HYPERVISOR GUEST CONTEXT, HYPERVISOR CONTEXT, ROOTKIT PREVENTION / DETECTION AND / OR OTHER CHARACTERISTICS
WO2016077017A3 (en) Trusted platform module certification and attestation utilizing an anonymous key system
WO2010060704A3 (en) Method and system for token-based authentication
JP2013235612A5 (en)
WO2012023122A3 (en) Authentication device and system
WO2016044270A3 (en) Paging of external memory
BR112017003018A2 (en) secure provision of an authentication credential
WO2012154780A3 (en) Independent secure element management
WO2010093636A3 (en) Devices, systems and methods for secure verification of user identity
WO2011028391A3 (en) Entropy pools for virtual machines
EP2819048A3 (en) Virtualized host ID key sharing
WO2013127715A3 (en) Permanent staining of varnished security documents
MX340269B (en) Determination of cryptographic keys.
EP2569897A4 (en) SINGLE USE PASSWORDS WITH IPSEC AND IKE VERSION 1 AUTHENTICATION

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11831226

Country of ref document: EP

Kind code of ref document: A2

ENP Entry into the national phase

Ref document number: 2813601

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2011831226

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2013532829

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2011312611

Country of ref document: AU

Date of ref document: 20110923

Kind code of ref document: A